dnssec-keymgr.docbook revision f6096b958c8b58c4709860d7c4dcdde5deeacb7a
<!--
 - Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keymgr">
<refentryinfo>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refentrytitle><application>dnssec-keymgr</application></refentrytitle>
<refnamediv>
<refname><application>dnssec-keymgr</application></refname>
<refpurpose>Ensures correct DNSKEY coverage for a zone based on a defined policy</refpurpose>
</refnamediv>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<refsynopsisdiv>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">time</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">path</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<command>dnssec-keymgr</command>
is a high-level Python wrapper to facilitate the key rollover
process for zones handled by BIND. It uses the BIND commands
for manipulating DNSSEC key metadata:
DNSSEC policy can be read from a configuration file (default
<filename>/etc/dnssec.policy</filename>), from which the key
parameters, publication and rollover schedule, and desired
coverage duration for any given zone can be determined. This
file may be used to define individual DNSSEC policies on a
per-zone basis, or to set a default policy used for all zones.
When <command>dnssec-keymgr</command> runs, it examines the DNSSEC
keys for one or more zones, comparing their timing metadata against
the policies for those zones. If key settings do not conform to the
DNSSEC policy (for example, because the policy has been changed),
they are automatically corrected.
A zone policy can specify a duration for which we want to
ensure the key correctness (<option>coverage</option>). It can
also specify a rollover period (<option>roll-period</option>).
If policy indicates that a key should roll over before the
coverage period ends, then a successor key will automatically be
created and added to the end of the key series.
If zones are specified on the command line,
<command>dnssec-keymgr</command> will examine only those zones.
If a specified zone does not already have keys in place, then
keys will be generated for it according to policy.
If zones are <emphasis>not</emphasis> specified on the command
line, then <command>dnssec-keymgr</command> will search the
key directory (either the current working directory or the directory
set by the <option>-K</option> option), and check the keys for
all the zones represented in the directory.
It is expected that this tool will be run automatically and
unattended (for example, by <command>cron</command>).
</refsection>
<variablelist>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
Sets the directory in which keys can be found. Defaults to the
current working directory.
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">file</replaceable></term>
If <option>-c</option> is specified, then the DNSSEC
policy is read from <option>file</option>. (If not
specified, then the policy is read from
<filename>/etc/policy.conf</filename>; if that file
doesn't exist, a built-in global default policy is used.)
</varlistentry>
<varlistentry>
Force: allow updating of key events even if they are
already in the past. This is not recommended for use with
zones in which keys have already been published. However,
if a set of keys has been generated all of which have
publication and activation dates in the past, but the
keys have not been published in a zone as yet, then this
option can be used to clean them up and turn them into a
proper series of keys with appropriate rollover intervals.
</varlistentry>
<varlistentry>
Quiet: suppress printing of <command>dnssec-keygen</command>
</varlistentry>
<varlistentry>
Only apply policies to KSK keys.
</varlistentry>
<varlistentry>
Only apply policies to ZSK keys.
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">keygen path</replaceable></term>
Specifies a path to a <command>dnssec-keygen</command> binary.
Used for testing.
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">settime path</replaceable></term>
Specifies a path to a <command>dnssec-settime</command> binary.
Used for testing.
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>POLICY CONFIGURATION</title></info>
The <filename>policy.conf</filename> file can specify three kinds
of policies:
<itemizedlist>
Policy classes:
(<option>policy <replaceable>name</replaceable> { ... };</option>)
can be inherited by zone policies or other policy classes; these
can be used to create sets of different security profiles. For
example, a policy class <userinput>normal</userinput> might specify
1024-bit key sizes, but a class <userinput>extra</userinput> might
specify 2048 bits instead; <userinput>extra</userinput> would be
used for zones that had unusually high security needs.
Algorithm policies:
(<option>algorithm-policy <replaceable>algorithm</replaceable> { ... };</option>)
override default per-algorithm settings. For example, by default,
RSASHA256 keys use 2048-bit key sizes for both KSK and ZSK. This
can be modified using <command>algorithm-policy</command>, and the
new key sizes would then be used for any key of type RSASHA256.
Zone policies:
(<option>zone <replaceable>name</replaceable> { ... };</option>)
set policy for a single zone by name. A zone policy can inherit
a policy class by including a <option>policy</option> option.
</itemizedlist>
Options that can be specified in policies:
<variablelist>
<varlistentry>
Specifies the directory in which keys should be stored.
</varlistentry>
<varlistentry>
The key algorithm. If no policy is defined, the default is
</varlistentry>
<varlistentry>
The key TTL. If no policy is defined, the default is one hour.
</varlistentry>
<varlistentry>
The length of time to ensure that keys will be correct; no action
will be taken to create new keys to be activated after this time.
This can be represented as a number of seconds, or as a duration using
human-readable units (examples: "1y" or "6 months").
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies.
If no policy is configured, the default is six months.
</varlistentry>
<varlistentry>
Specifies the number of bits to use in creating keys.
Takes two arguments: keytype (either "zsk" or "ksk") and size.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is 1024 bits for DSA keys and 2048 for
</varlistentry>
<varlistentry>
How frequently keys should be rolled over.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
configured, the default is one year for ZSKs. KSKs do not
roll over by default.
</varlistentry>
<varlistentry>
How long before activation a key should be published. Note: If
<option>roll-period</option> is not set, this value is ignored.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is
</varlistentry>
<varlistentry>
How long after inactivation a key should be deleted from the zone.
Note: If <option>roll-period</option> is not set, this value is ignored.
Takes two arguments: keytype (either "zsk" or "ksk") and a duration.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. The default is one
</varlistentry>
<varlistentry>
Not yet implemented.
</varlistentry>
</variablelist>
</refsection>
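Added example, not part of dnssec-keymgr or of the original page: a simplified Python model of how the coverage period, the rollover period and the publication and deletion intervals described above determine a key series, with a check for windows in which no key is active. The function names, the 180-day and 30-day intervals and the dates are constructed for illustration, and the model assumes each successor is activated at the moment its predecessor is inactivated.

```python
from datetime import datetime, timedelta


def plan_series(first_activate, now, coverage, roll_period=None,
                pre_publish=timedelta(0), post_publish=timedelta(0)):
    """Model the timing events of a key series (hypothetical helper).

    Successors are appended until the last key stays active past
    now + coverage. With no roll period there is one key that never
    retires, and the pre/post-publication intervals are ignored.
    """
    if not roll_period:
        return [{"publish": first_activate, "activate": first_activate,
                 "inactive": None, "delete": None}]
    horizon = now + coverage
    series, activate = [], first_activate
    while True:
        inactive = activate + roll_period
        series.append({"publish": activate - pre_publish,
                       "activate": activate,
                       "inactive": inactive,
                       "delete": inactive + post_publish})
        if inactive >= horizon:
            return series
        activate = inactive  # successor activates as its predecessor retires


def coverage_gaps(series, now, coverage):
    """Return (start, end) windows inside the coverage period with no active key."""
    horizon = now + coverage
    gaps, covered_until = [], now
    for key in sorted(series, key=lambda k: k["activate"]):
        if covered_until >= horizon:
            break
        if key["activate"] > covered_until:
            gaps.append((covered_until, min(key["activate"], horizon)))
        end = key["inactive"] or horizon  # no inactive date: key never retires
        covered_until = max(covered_until, end)
    if covered_until < horizon:
        gaps.append((covered_until, horizon))
    return gaps


# Constructed sample values (not BIND defaults): a ZSK first activated on
# 2015-01-01, checked on 2015-06-01 against a one-year coverage period.
NOW = datetime(2015, 6, 1)
FIRST = datetime(2015, 1, 1)
COVERAGE = timedelta(days=365)
ZSK = plan_series(FIRST, NOW, COVERAGE, roll_period=timedelta(days=180),
                  pre_publish=timedelta(days=30), post_publish=timedelta(days=30))

if __name__ == "__main__":
    for n, key in enumerate(ZSK, 1):
        print(n, {name: when.date().isoformat() for name, when in key.items()})
    # Dropping the middle key leaves a window with no active ZSK.
    print(coverage_gaps([ZSK[0], ZSK[2]], NOW, COVERAGE))
```

A non-empty result from `coverage_gaps` marks a period in which the zone would have no active signing key of that type, which is the condition the coverage setting exists to prevent.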
<refsection><info><title>REMAINING WORK</title></info>
<itemizedlist>
Enable scheduling of KSK rollovers using the <option>-P sync</option>
<command>dnssec-settime</command>. Check the parent zone
(as in <command>dnssec-checkds</command>) to determine when it's
safe for the key to roll.
Allow configuration of standby keys and use of the REVOKE bit,
for keys that use RFC 5011 semantics.
</itemizedlist>
</refsection>
<citerefentry>
<refentrytitle>dnssec-coverage</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-settime</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-checkds</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</refsection>